Posted to bugs@httpd.apache.org by bu...@apache.org on 2019/04/23 11:49:15 UTC
[Bug 63368] TLS1.3 Client verification failures
https://bz.apache.org/bugzilla/show_bug.cgi?id=63368
Joe Orton <jo...@redhat.com> changed:
          What|Removed  |Added
----------------------------------------------------------------------------
        Status|NEW      |RESOLVED
    Resolution|---      |DUPLICATE
--- Comment #1 from Joe Orton <jo...@redhat.com> ---
If browser vendors are choosing not to make this work by default for HTTP/1.1
as it did for TLS/1.2 that is out of our hands, but I don't think it implies we
need to deprecate the functionality in mod_ssl.
I agree it is a functional regression which will likely impede adoption of
TLS/1.3, and I'm not aware of any workaround other than using a separate vhost
for client-cert-auth-protected resources.
There is an effort to replace PHA at the application layer in HTTP/2, which
makes sense technically in the long term. But that will require time and effort
to implement, assuming it makes it through standardization, and won't benefit
HTTP/1.1 users. I assume it will require support from OpenSSL as well -
https://tools.ietf.org/html/draft-ietf-httpbis-http2-secondary-certs-03
*** This bug has been marked as a duplicate of bug 62975 ***
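The workaround named in comment #1, a separate vhost for client-cert-auth-protected resources, sketched as mod_ssl configuration. This is an added example, not taken from the bug report or the httpd project; the host names, file paths and the /secure location are assumptions.

```apache
# Added example. Host names, paths and /secure are placeholders (assumptions).
# The "before" and "after" sections are alternatives: load one or the other.

# --- Before: per-location client certificate ------------------------------
# The handshake completes without a client certificate. mod_ssl only learns
# that one is needed after it has read the request path, so it must ask for
# it on the established connection: renegotiation under TLS 1.2,
# post-handshake authentication (PHA) under TLS 1.3.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.test.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt
    <Location "/secure">
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
</VirtualHost>

# --- After: protected resources on their own vhost ------------------------
# Public content: no client certificate is ever requested.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.test.key
</VirtualHost>

# Protected content: SSLVerifyClient is set at vhost level, so the
# certificate is requested in the initial handshake and no PHA is needed.
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/secure.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/secure.example.test.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```

Every request to the protected vhost then presents a certificate, so links into the protected area have to point at the second host name rather than a path on the first.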